IETF Logo Mail Archive

Re: Admission Control to the IETF 78 and IETF 79 Networks

Chris Elliott <chelliot@pobox.com> Mon, 12 July 2010 19:13 UTC

Return-Path: <chelliot@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 949F73A6BD4 for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 12:13:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.274
X-Spam-Level:
X-Spam-Status: No, score=-0.274 tagged_above=-999 required=5 tests=[AWL=-0.929, BAYES_20=-0.74, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MjlJLbzM6ZY5 for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 12:13:06 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by core3.amsl.com (Postfix) with ESMTP id E68883A6B92 for <ietf@ietf.org>; Mon, 12 Jul 2010 12:13:05 -0700 (PDT)
Received: by gxk3 with SMTP id 3so3091627gxk.31 for <ietf@ietf.org>; Mon, 12 Jul 2010 12:13:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:references:in-reply-to :mime-version:content-transfer-encoding:content-type:message-id:cc :x-mailer:from:subject:date:to; bh=5QIa59EpoILHkTulub5mV0NyVqvR3pQNm3qAoJwgZD8=; b=rfRIXJirrHbYyqEcESKUo/ibqqGlvOO331rv74g3FBAzsB/p8dsDIrDFhvYkumIFVS mgEdbA0LkIYyVZMOQakel4g0b9HwByrL9nAklsvu1RCV+kX4dP5WE2daQmfVfPx7cSzw dZXhjaSlIIe16++DTmIB8rgnxmQ77lnenUC6E=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:references:in-reply-to:mime-version :content-transfer-encoding:content-type:message-id:cc:x-mailer:from :subject:date:to; b=BOiC3e9ZLEdMlChMrfCmMJUD3++s1O/B4NUp2s00EPDxkpJVA3wbbxK1UoxaZXeeOI nA3msWkVCrFFfKbtfUu3w6FlqpJR0oGZYC1c97uCgbVvtRbIZjAv8LnReIp+12EwhbLx 46PPxQFD/hOAGiz6itrJglHy3qNehWt9KvXaQ=
Received: by 10.229.191.5 with SMTP id dk5mr8576931qcb.231.1278961991036; Mon, 12 Jul 2010 12:13:11 -0700 (PDT)
Received: from [10.0.1.9] (cpe-066-057-101-100.nc.res.rr.com [66.57.101.100]) by mx.google.com with ESMTPS id fb41sm20921609qcb.3.2010.07.12.12.13.09 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 12 Jul 2010 12:13:09 -0700 (PDT)
Sender: Chris Elliott <chelliot@gmail.com>
References: <CFB08C07-DE90-47BE-ADFF-FC72162BBFA1@daedelus.com> <4C2BBD51.2060605@ietf.org> <6.2.5.6.2.20100701070804.0c26b8a0@resistor.net> <6D6E25E2-057B-4591-9288-1283036D0374@cisco.com> <AANLkTinMFsrGyIy9bu5kzUiZqNmDbf7lpS-eht8h3hvP@mail.gmail.com> <CCD1D0AD-97DC-4CE0-9E27-CC75B5F47C54@muada.com> <AANLkTilVmeg2Tgjgllg2yT3Oc34Y4ZuwXwl9U1ELfjhc@mail.gmail.com> <20100706170631.GK25518@thunk.org> <AANLkTil357pxy8tD49Q9ds9QVlSjo9h3p3akSN9UF1XS@mail.gmail.com> <AANLkTil0YIS9H-vYxIJJS_OC7tAlcCLQQycskFcLE71V@mail.gmail.com> <AANLkTilVAn3j-iXbdytu9en-OWAjlCFQSyQy1jiY1Zq1@mail.gmail.com> <AANLkTilCRrRhYVBNKdkaBudacJDCbBx3_48D9_U2RaSM@mail.gmail.com> <AANLkTinqiZaI-g042rVX0veLSpsVho0smH3XMkg6E7d_@mail.gmail.com>
In-Reply-To: <AANLkTinqiZaI-g042rVX0veLSpsVho0smH3XMkg6E7d_@mail.gmail.com>
Mime-Version: 1.0 (iPhone Mail 8A293)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Message-Id: <F08DB980-41E2-41A8-AF03-1E917A2B3903@pobox.com>
X-Mailer: iPhone Mail (8A293)
From: Chris Elliott <chelliot@pobox.com>
Subject: Re: Admission Control to the IETF 78 and IETF 79 Networks
Date: Mon, 12 Jul 2010 15:12:13 -0400
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, "tytso@mit.edu" <tytso@mit.edu>, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2010 19:13:08 -0000

Phillip,

I read all of all your emails on this thread before I replied the first time, just not your book.

We will be and we have been "eat[ing] the WiFi authentication dog-food" at IETF meetings. And it's gotten easier each time.

You do realize, don't you, that we are offering WPA/WPA2 with enterprise authentication and encryption as our recommended way of getting onto the network, right? We are only offering a web portal so that folks that can't do WPA* can authenticate. And we've been offering WPA* enterprise on most IETF networks for many years. The difference this time is we are going to unique user credentials.

I anticipate the time it will take for most attendees to authenticate will be the time it takes to type in a username and password--far under a half an hour, unless the attendee is Stephen Hawking, in which case I will personally help the attendee authenticate! There will be those with problems. That's why there's a help desk.

Chris.

P.S. bring a copy of your book to Maastricht and I'll bring a copy of mine and we'll do a prisoner exchange. :-)


--
Chris Elliott
CCIE # 2013


On Jul 12, 2010, at 2:35 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

> Well maybe if you read the full thread rather than just cherry picking
> parts of it you would have understood the point better.
> 
> My original argument was that I think the IETF should eat the WiFi
> authentication dog-food here because the current product tastes like
> poo and the only way things are going to get any better is if a bunch
> of network engineers start to see that there is a real problem.
> 
> 
> I have also proposed a scheme that would be applicable for use at the
> IETF. Basically the shortest distance from where we are to where we
> want to be is to use self signed certs and use the fingerprint of the
> cert as a unique device ID. But that is only addressing the specifics
> of how to make the scheme work at IETF, which is really not very
> interesting in the grand scheme of things. What is more interesting
> would be a scheme that can be relied on to work anywhere without half
> an hour of fiddling and jiggering the configuration - as will be the
> Maastricht/Beijing experience.
> 
> The first year they started doing this at RSA the help desk had a
> pretty long queue and much time was spend debugging crappy code. The
> basic experience being that Macs work fine, Windows works fine with
> native drivers. But corporate configuration laptops with device
> drivers written by the WiFi card provider and/or VPN products were
> massively flaky..
> 
> 
> On Mon, Jul 12, 2010 at 1:53 PM, Chris Elliott <chelliot@pobox.com> wrote:
>> On Mon, Jul 12, 2010 at 12:07 PM, Phillip Hallam-Baker <hallam@gmail.com>
>> wrote:
>>> 
>>> No, if you read my book you would see the scheme I am proposing.
>> 
>> 
>> I hope your book is rather less opaque than your attempts to explain your
>> technique here.
>>> 
>>> The problem with current MAC addresses is that they are not
>>> trustworthy. That is accepted. If MAC addresses were not trivially
>>> forged then the existing WiFi scheme would work fine.
>>> 
>>> What I am saying is that if people got really serious about usability
>>> and in particular the WiFi design had been controlled by a Steve Jobs
>>> style person who demanded an absolute commitment to a first class
>>> usability approach, then we could have a scheme that did not require
>>> end-user configuration.
>>> 
>>> Instead every device would have been issued with a device cert to bind
>>> the MAC address to a public key during manufacture. This is already a
>>> requirement for cable modems. The cost is of the order of cents per
>>> device if the certs are installed during manufacture. Maintenance
>>> costs get much higher as soon as the device has left the factory.
>>> 
>>> The function of the certificate is to stop the MAC address being
>>> trivially forged. OK yes, if you design the protocols wrong then you
>>> can end up with Cisco being able to intercept on the wire traffic. But
>>> if you do the job right you can prevent interception even if the
>>> manufacturer defects.
>> 
>> I thought we were talking about how to do this for the meeting in Maastricht
>> and then in Beijing. I agree that manufacturers could make this easier for
>> all of us. But some of us live in the real world and must make things work
>> today.
>> I'd be glad to listen to an explanation of how to make this work with the
>> current devices that IETF attendees will be bringing to Maastricht and
>> Beijing.
>> Chris.
>> 
>>> 
>>> And as for my waist - yes there does seem to be rather more of it than
>>> there should be, but I don't think that is Dogbert's fault. I blame
>>> the cookies at IETF break time.
>>> 
>>> 
>>> On Mon, Jul 12, 2010 at 11:56 AM, Chris Elliott <chelliot@pobox.com>
>>> wrote:
>>>> Phillip,
>>>> In your earlier email, you state:
>>>>> 
>>>>> If the designers had actual brains instead of bits of liver strapped
>>>>> round their waist by dogbert then all that would be necessary to
>>>>> securely authenticate to the network is to give either the MAC address
>>>>> of the computer or the fingerprint of the cert.
>>>> 
>>>> Note that you say "either". Now you state:
>>>>> 
>>>>> Of course the MAC address is trivially forged. That is the function of
>>>>> the certificate.
>>>> 
>>>> Maybe you should check your waist.
>>>> Chris.
>>>> 
>>>> --
>>>> Chris Elliott
>>>> chelliot@pobox.com
>>> 
>>> --
>>> Website: http://hallambaker.com/
>> 
>> 
>> 
>> --
>> Chris Elliott
>> chelliot@pobox.com
>> CCIE # 2013
> 
> 
> 
> -- 
> Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email